Cloud 101CircleEventsBlog
Master CSA’s Security, Trust, Assurance, and Risk program—download the STAR Prep Kit for essential tools to enhance your assurance!

Bad guys are watching for new openings in your cloud, are you?

Published 07/30/2021

Bad guys are watching for new openings in your cloud, are you?

This blog was originally published by Sysdig here.

Written by Janet Matsuda, Sysdig CMO.

You see the headlines, and perhaps, ‘thank goodness it wasn’t us’ flickers through your mind. An overly permissive web server exposes 100 million+ consumer credit applications, or an S3 bucket leaves hundreds of millions of user records open to the public. A nightmare scenario for any CISO and their cloud security team!

According to Gartner “Customer misconfiguration of cloud resources is the leading cause of data loss in the cloud environment.”[1] But how do you stay on top of misconfigurations in the world of the cloud, where any employee can quickly sign up for a new service? Accelerating application delivery means letting go of control, and allowing more people to make changes. New ways to monitor changes are required with a DevOps approach.

Schedule cloud security checks

Cloud security posture management (CSPM) tools can be used by security teams to discover cloud assets used by their organization. These tools also check configurations against CIS benchmarks as a best practice for reducing risk. These checks are run periodically, normally daily.

However, attackers recognize that cloud configurations are changing constantly. They have automated bots that are continually hunting for openings they can exploit to steal data. This means you can’t afford to rely on periodic checks. Instead, you need to be aware of changes to configurations as they are made, in real time.

Watch for suspicious behavior

The importance of monitoring configuration changes is highlighted by a 2020 Microsoft breach. This breach of a customer database that stored anonymized user analytics inadvertently exposed 250 million entries. Unfortunately, an Azure server adopted a configuration change that made this data public.

Now is the time to make sure you have a continuous approach to cloud security posture management to avoid exposing confidential data. It also makes sense to consider how cloud security fits into your overall security stack as you secure applications deployed using a DevOps workflow.

First, let’s think about the continuous approach. Cloud logs have a record of activity across all of the services available from your cloud provider. By inspecting these logs you can identify unexpected changes, as well as suspicious behavior that could indicate a breach. Security teams are using rules mapped to industry-standard frameworks, such as the MITRE ATT&CK@ framework, to alert on suspicious activity. The tool you use should have a flexible rules engine so you can customize alerts based on your organization’s priorities. The rules should also be able to detect threats across all services captured in the logs.

You should also consider how the tool analyzes the cloud logs. Some tools require that you export the logs to their data store, and then inspect for changes and threats. This requires you to pay egress charges, along with storage of the cloud logs. The more efficient approach is to analyze this data in real time as it is produced, using a streaming approach. Then, only the results are sent back to the tool. These savings can really add up over time. Of course, a simple pricing model is a good idea as well.

Implement DevOps, but also Secure DevOps

As organizations move to the cloud, they realize a DevOps approach with a continuous integration / continuous delivery (CI/CD) pipeline is required to realize the agility benefit they want. As you adapt your organization to deal with the new world of DevOps, containerized microservices and Kubernetes, you need a new security stack. The current stack based on a proprietary, firewall mindset slows application delivery. Secure DevOps is not only ‘shift left,’ to secure the build, but also ‘roll right’ for detection and response. Effective security requires deep visibility with rich context, and the tooling must be designed specifically for this new environment.

Cloud and container security tools are consolidating into platforms that can secure cloud services and workloads. It makes sense to use a unified platform across containers and cloud for security, compliance, monitoring and troubleshooting. A unified platform can highlight lateral movement of threats traversing containers and cloud services. It should also reduce the number of tools that are required and provide a single source of truth for security and DevOps teams. Maintaining consistency in rules and frameworks saves time in training and improves efficiency. Lastly, selecting a platform that works across multiple clouds will simplify operations.

The Future of Security is Open

Core technology choices made by vendors drive the speed of innovation and the degree of interoperability between tools. Today, the CI/CD pipeline is mainly built on open source tools -- Kubernetes, Jenkins, GitLab, etc. Security has traditionally been closed, but it’s now clear the pace of innovation cannot be constrained by proprietary development models. Contributions by the community accelerate innovation, which is critically important in the security space. We need the best minds to contribute ideas to stay ahead of attackers. Many of the open source security projects, like Falco, OPA and Cloud Custodian, allow contributions on multiple levels. Programmers contribute code and security teams contribute rules for detecting threats and validating compliance.

Open source is also increasing in popularity for the same reason Linux replaced the many versions of Unix. IT leaders prefer to adopt a standard they know will stand the test of time. Kubernetes is now the de facto standard for orchestrating containers. Prometheus is quickly becoming the open standard for collecting metrics from applications, making it easier to monitor application performance with a consistent set of tools.

With organizations like the Cloud Native Computing Foundation (CNCF) providing governance, sharing best practices and code across the industry has become practical. Broad adoption of standards and sharing of code within the community makes integration into your existing environment straightforward. For example, an open source community member created falcosidekick with the sole purpose of integrating Falco with other open source and commercial tools. Since being made public, it has been downloaded more than 450,000 times.

Open source security standards are starting to emerge. As we see how downloads for these projects keep accelerating, and being integrated into commercial products used by hundreds of teams, it is clear that open source security is gaining ground.

The journey to the cloud has accelerated for most companies over the past 12 months. The change is a seismic shift that impacts people, processes and technology. Managing teams through the change can be the biggest challenge. If you make the right technology choices, the technology can make it easier for the people as they change their roles and processes.


[1] Gartner “Solution Path for Security in the Public Cloud ,” Richard Bartley, January 30, 2020.

Share this content on your favorite social network today!